From 3ebc4903d8fdc317c4a881c5b6b0edcd802ab3f1 Mon Sep 17 00:00:00 2001
From: Luke
Date: Tue, 24 Jan 2017 14:37:48 +0000
Subject: [PATCH 1/5] automatically add reneg-sec 0 to client and server configs when otp is being used to avoid connection resetting every hour. Edit docs to make clear that a more secure cipher needs to be selected to use with otp to avoid the connection being reset every 64 MB of data
---
 bin/ovpn_genconfig | 2 ++
 bin/ovpn_getclient | 4 ++++
 docs/otp.md | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
index a8b595f..adee76f 100755
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -161,6 +161,7 @@ OVPN_EXTRA_CONFIG=''
 # Parse arguments
 while getopts ":a:e:C:T:r:s:du:cp:n:DNmf:tz2" opt; do
+ echo $opt
 case $opt in
 a) OVPN_AUTH="$OPTARG"
@@ -329,6 +330,7 @@ cat $TMP_PUSH_CONFIGFILE >> "$conf"
 if [ -n "${OVPN_OTP_AUTH:-}" ]; then
 echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
 echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
+ echo "reneg-sec 0" >> "$conf"
 fi
 echo -e "\n### Extra Configurations Below" >> "$conf"
diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient
index 6a80d29..76f8ffb 100755
--- a/bin/ovpn_getclient
+++ b/bin/ovpn_getclient
@@ -94,6 +94,10 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
 if [ -n "$OVPN_COMP_LZO" ]; then
 echo "comp-lzo"
 fi
+
+ if [ "$OVPN_OTP_AUTH" = "1" ]; then
 echo reneg-sec 0
 fi
 }
 dir="$OPENVPN/clients/$cn"
diff --git a/docs/otp.md b/docs/otp.md
index ad2ce86..230c27e 100644
--- a/docs/otp.md
+++ b/docs/otp.md
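Review bot: The added `echo "reneg-sec 0" >> "$conf"` turns off time-based TLS renegotiation for the whole session, so the data-channel keys negotiated at connect time are never rotated while an OTP client stays connected; this is a deliberate security trade-off and should be stated next to the line, e.g. `# OTP tokens are single-use, so the default hourly TLS renegotiation would re-prompt the user; disable the time trigger (renegotiation by byte count still applies)`. The same comment belongs on the client-side `echo reneg-sec 0` in the ovpn_getclient hunk of this patch. Note that reneg-sec only covers the time trigger; the byte-count renegotiation the docs mention for BF-CBC is separate, so the cipher advice added to docs/otp.md is still required. If the image's OpenVPN is 2.4 or newer, `auth-gen-token` lets renegotiation proceed without a fresh OTP and would avoid disabling key rotation altogether, which is worth a follow-up rather than this patch.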
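Review bot: `echo reneg-sec 0` in the new block leaves the directive unquoted while the line above writes `echo "comp-lzo"`; the output is the same here, but quoting it, `echo "reneg-sec 0"`, keeps the generated directives uniform and survives a changed IFS. The function that emits the client config starts before this hunk, and the `}` on the last context line closes it.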
@@ -11,7 +11,9 @@ and use this image to generate user configuration.
 In order to enable two factor authentication the following steps are required.
-* Generate server configuration with `-2` option
+* Choose a more secure [cipher](https://community.openvpn.net/openvpn/wiki/SWEET32) to use because since [OpenVPN 2.3.13](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13) the default openvpn cipher BF-CBC will cause a renegotiated connection every 64 MB of data
+
+* Generate server configuration with `-2` and `-C $CIPHER` options
 docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2
From fbdc8e32c6336ac8daba99fffbf61ac0d3a2caad Mon Sep 17 00:00:00 2001
From: Luke
Date: Tue, 24 Jan 2017 14:40:48 +0000
Subject: [PATCH 2/5] remove debugging extra
---
 bin/ovpn_genconfig | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
index adee76f..0fa5792 100755
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -161,7 +161,6 @@ OVPN_EXTRA_CONFIG=''
 # Parse arguments
 while getopts ":a:e:C:T:r:s:du:cp:n:DNmf:tz2" opt; do
- echo $opt
 case $opt in
 a) OVPN_AUTH="$OPTARG"
From a20c63893e4d0ca3478dcf35d56f051364c03b26 Mon Sep 17 00:00:00 2001
From: Luke
Date: Tue, 24 Jan 2017 14:42:51 +0000
Subject: [PATCH 3/5] modify command in documentation too
---
 docs/otp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/otp.md b/docs/otp.md
index 230c27e..edbd156 100644
--- a/docs/otp.md
+++ b/docs/otp.md
@@ -15,7 +15,7 @@ In order to enable two factor authentication the following steps are required.
 * Generate server configuration with `-2` and `-C $CIPHER` options
- docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2
+ docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 -C $CIPHER
 * Generate your client certificate (possibly without a password since you're using OTP)
From c9ada1eac45150f3a5d5c593b08b753938ee40f3 Mon Sep 17 00:00:00 2001
From: Luke
Date: Wed, 25 Jan 2017 14:06:19 +0000
Subject: [PATCH 4/5] reneg-sec needs to be set to 0 when using otp because otherwise the connection will be ask for a otp every hour. Tests added to make sure it's there when otp is enabled
---
 test/tests/otp/run.sh | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh
index 4cb53ca..bea67a8 100755
--- a/test/tests/otp/run.sh
+++ b/test/tests/otp/run.sh
@@ -17,6 +17,9 @@ SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::'
 # Configure server with two factor authentication
 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
+# Ensure reneg-sec 0 in server config when two factor is enabled
+docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG cat /etc/openvpn/openvpn.conf | grep 'reneg-sec 0' || abort 'reneg-sec not set to 0 in server config'
+
 # nopass is insecure
 docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
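Review bot: The new `grep 'reneg-sec 0'` on the server-config check is unanchored, so a commented-out `# reneg-sec 0` or any line that merely contains that text would also satisfy it; anchoring the whole line, `grep -q '^reneg-sec 0$'`, makes the test prove the directive is actually active. The client-config check added in the next hunk (`grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn`) has the same weakness and should use the same pattern. `-q` also keeps the matched line out of the test log without changing the exit status that `|| abort` relies on. If the `docker run … cat` stage itself fails, the abort message still claims reneg-sec is unset, which is tolerable in a test but worth knowing when reading a failure.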
@@ -40,6 +43,9 @@ echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt
 # Override the auth-user-pass directive to use a credentials file
 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn
+# Ensure reneg-sec 0 in client config when two factor is enabled
+grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in client config'
+
 #
 # Fire up the server
 #
From ef8221372da69a704f6eb9b2b20190a8b9b90e6b Mon Sep 17 00:00:00 2001
From: Luke
Date: Thu, 26 Jan 2017 17:53:53 +0000
Subject: [PATCH 5/5] change test to bring in line with others
---
 bin/ovpn_getclient | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient
index 76f8ffb..8efb827 100755
--- a/bin/ovpn_getclient
+++ b/bin/ovpn_getclient
@@ -95,7 +95,7 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
 echo "comp-lzo"
 fi
- if [ "$OVPN_OTP_AUTH" = "1" ]; then
+ if [ -n "$OVPN_OTP_AUTH" ]; then
 echo reneg-sec 0
 fi
 }
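Review bot: The new test `if [ -n "$OVPN_OTP_AUTH" ]; then` expands the variable bare, whereas the matching server-side check in ovpn_genconfig uses `"${OVPN_OTP_AUTH:-}"`; if ovpn_getclient runs under `set -u` (not visible in this hunk), an unset OVPN_OTP_AUTH would abort client generation instead of skipping the block. `if [ -n "${OVPN_OTP_AUTH:-}" ]; then` matches the server check and is safe either way. The enclosing function begins before this hunk.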